R*sk happens! Insights from risk maturity benchmark

The bad news is that R*sk happens! We all know that since we’re in the middle of lockdown and if the benchmark study were still live, risk would probably have affected 100% of businesses and skewed our results. Fortunately, the research comes from the risk maturity benchmark study that I conducted while leading business risk consulting at mid-size actuarial firm, Barnett Waddingham. During a 3-year study between 2016-18, I asked 150 companies in depth questions on every aspect of their risk management and culture, the type of risks they faced and whether these had materialised in a significant way during the previous 5 years. As luck would have it, this window excludes the current pandemic crisis and the previous global recession. Yet still during this relatively disaster-free period, nearly half of all companies confirmed they faced at least one serious risk or crisis events.

Proof that it’s worth it

Some of us struggle to convince senior executives to invest in risk management, indeed the business case is not strong.  The difficulty about risk management is it’s hard to prove it really works, its impossible to know what would have or could have happened, and it’s not easy to attribute business value as a result of risk management.  It was not our intention to prove the value of risk management but our model and the data around incidents showed some clear correlation between risk maturity and the rate of incidents of serious risk events.  We found, those that were most risk mature were better insulated from risk events compared to those that were on the bottom end of risk maturity.  Finally, empirical data that we risk managers bring meaningful business value and impact.

The model to follow

Benefiting from the rigour of actuaries, we are reasonably confident in the validity of the maturity model comprising three overlapping pillars.  The technical framework includes the practical tools, techniques, and activities deployed; the culture and capability speaks to the extent risk management awareness is communicated and behaviours visible through the organisation. And the Use Test seeks to measure the extent risk management is used in the key moments of decision making.  The data and the logic implies achieving risk maturity as defined will yield the results and benefits previously shown.  We think advancing across all three areas is a good objective for all organisations regardless of sector.  We heard many organisations tell us they were in the low maturity range or comment they didn’t feel they needed to be at the upper end of risk maturity.  This might be true in terms of sophisticated risk modelling and quantitative techniques which were included in the technical framework but did they think they didn’t need high scores on the other pillars as well?  Would they be suggesting they don’t need to embed risk management or don’t need to have it being used in decision making?  Did they think it was appropriate to have a tick the box risk function?  If you are in this situation, best to stop reading.

The status quo isn’t working

Despite 80% maintaining a risk register, 84% formally report and monitor risks at an Audit and/or Risk Committee and 74% employing a risk professional, the research still indicated risk maturity was still a challenge for most organisations.  For example less than half felt risk management was valued in decision making.  The data was further brought to life in the interviews where many felt frustrated and discouraged by the lack of influence and engagement at board and executive committee level.

Top tips from risk mature businesses

Despite broad consensus there was much room for improvement, I did hear some great tips and examples of what worked in risk mature organisations.

Enabling technology needed

Having established the importance of risk management, we learned only a quarter of organisations used risk management software with the majority dependent on MS Excel risk register spreadsheets, but most respondents recognised this was not fit for purpose.  It was the source of frustration and interest because nearly all that used risk software tools complained about user experience and complexity affecting stakeholder relationships and poor reporting, while those who hadn’t purchased risk software were worried about cost and couldn’t find anything that suited.  Our risk maturity benchmark found no correlation between risk maturity and the use of software.

My latest talk at the Risk Leadership Network

Last week I had an audience with the Risk Leadership Network and shared much of this content with a bit more covering how we should get to know our key stakeholders, how to position risk as a problem solving tool, and bring data into the risk discussion, the full slide deck is available for download here.